Appthority: Uber App Puts Personal, Corporate Data At Risk

According to the press release, the app leaves users open to spear phishing, watering-hole attacks and widespread privacy breaches. Uber’s incomplete privacy policy, location tracking and “moving experience” are just a few of the issues that make the app susceptible to breaches.

The launch of Uber for Business means that the exposed locations of C-level executives, salespeople, developers and others could pose a potential physical threat. Meeting agendas could also be exposed.

The report also found that the newer versions of Uber apps don’t enforce HTTPS connections and are sending data unencrypted, and that the app has 26 services running in the background as of this month (that number was zero in early 2015).

There are also more than 600 third-party apps and services integrating with Uber’s Application Programming Interfaces (APIs), with 84 percent of the apps using the /estimates/time API and 61 percent of the apps using the /history API on unencrypted connections with remote servers. This means a user’s data could be collected and saved even when the app is not in use.

“Uber’s app and connected convenience apps are a direct threat to personal and corporate data,” said Dr. Su Mon Kywe, Appthority’s lead research scientist on this investigation. “With its latest app and privacy policy updates, Uber has been moving in the direction of asking for more user information but also is not enforcing secure connections or strong privacy policies when accessing or sharing that data. Enterprise security departments should be deeply concerned about Uber’s security practices.”